Richard Clark, the new Cybersecurity Advisor for the Bush Administration, spoke at the annual Black Hat Conference of Information Technology Professionals on Wednesday. Clark encouraged attendees to contribute to the search for software bugs, since software makers rarely find all the mistakes in their code. The catch, however, is that Clark favors withholding the bugs found from the public: the vendor should be notified first, and if the vendor fails to respond, the government should be contacted as the next step. The general public should not be told about a particular vulnerability until after a patch is issued. Clark also argued that posting information on a hole before the vendor has issued a patch is irresponsible and damaging.

Full disclosure has long been debated in the security community. Vendors say that no vulnerability should be made public until a patch is available; some in the security community counter that security by obscurity doesn't work, and that black hat hackers are capable of finding vulnerabilities and crafting exploits on their own. Others take a middle position: posting information on a vulnerability is good, but posting exploit code is unnecessary and damaging, since a ready-made exploit gives malicious hackers an extra advantage they don't really need.

This middle-ground approach has been dubbed “limited disclosure” by Richard Smith, the security professional behind ComputerBytesMan.com. Smith maintains that bug finders, vendors, and Bugtraq are all part of the problem: vendors are sometimes unresponsive, bug finders sometimes release exploit code, and Bugtraq is where it all gets posted. In fact, according to some in the hacker community, Bugtraq has become a breeding ground for security professional wannabes. Smith said that fixing old code is “… right out there with taking out the garbage,” meaning that programmers would rather write new code than fix the old. There is sufficient evidence to support this, as reported earlier.

RON'S OPINION
The bottom line here is that this is not a perfect world, and things break. I am not stating this to absolve me of all my previous opinions, as I still believe what I wrote in previous articles. I find that as I read and learn more about the security community I write about, however, my views change because, hopefully, I learn from the people whose writings I read.

Limited disclosure, I believe, is a compromise between security by obscurity, which most large corporations who distribute software fully support, and full disclosure, which, in its extreme literal interpretation, allows for the exploitation code to be posted due to its benefit to the security community.

Richard Smith further stated that Clark's model would work in a perfect world where the vendors were responsive either to the hacker(s) who discovered the bug, or the government officials who oversee such matters. Furthermore, Clark assumes that the government agencies/officials would actually give hackers the time of day when it comes to finding vulnerabilities, and would actually go to the vendors and make things happen.

I believe that the larger an entity is (whether it be government or corporate) the longer it takes to get things done within the channels of that entity, and that entity actually becomes less productive and less efficient. This, in effect, makes Clark's model unworkable, not because he is incorrect in some of his statements, but because in reality vendors aren't responsive to hackers or government officials. Additionally, government departments responsible for such things as going to vendors with incidents of their unresponsiveness will likely not follow through in most cases, not demanding a solution to the problem found.

That said, there will eventually be laws governing the disclosure of vulnerabilities, and those laws will most likely be crafted by the very corporations that do not want vulnerabilities in their code disclosed. Although I really want a balance between publishing exploit code and clamping down on vulnerability publicity completely, I fear that, as in most other instances, the real criminals will ruin it for those of us who want to do the right thing.

USER COMMENTS 18 comment(s)

Clark is right on…(12:29pm EST Fri Aug 02 2002)Richard Clark hit the nail on the head here, I believe. However, as Ron pointed out, the faults in Clark's plan are basically the large bureaucracy hackers must work with.

Of course, we do not actually know that it will be like other bureaucracies – i.e. there will be long periods of time needed to respond and there may not be enforcement or followup. However, one thing Bush did well is create this Cyber Security position and fill it with someone who at least knows a lot about it.

That said, perhaps with the Bush Administration's understanding that Cyber Terrorism, Cyber Security (and all the other buzzwords) are DIFFERENT from standard terrorism and security needs, there is a good chance that the bureaucracies created around this will have better control (hopefully, less “levels” to wade through).

We could have Clark (or whomever) head the agency, then have one level below him, as station chiefs (broken up into more specialized areas), then under these chiefs have agents who deal directly with Vendors and Hackers. It all depends on the skill of the people, of course.

Still, I think most people will be patient enough to understand that for the Federal Government to create such an agency will take time, and there will probably be bumps in the road. To most politicians, this computer-thingy is still pretty new (or even undiscovered).

Just my $0.02 worth (and much better than that useless first-post moron).– by myrkat

I'm glad you posted this thread(12:32pm EST Fri Aug 02 2002)Does anybody have a link to the actual talk? The news outlets all said he mentioned “five groups” and then only named Microsoft and government. Who are the other four? Did he actually say “microsoft” or did he really say “software makers”?

Of course he is going to lean toward “security through obscurity”, as that IS the best- for the developer! It is most definitely NOT the best for the end user, who always has the workaround of buying a competing product. – by /sm

this is bunch of sh*t(12:32pm EST Fri Aug 02 2002)The only reason that they don't want bugs to be posted is that it damages their precious egos. The real problem that plagues the computing community is that people don't react properly when a hole is found; if a hole is found and there is no patch available then stop the service, or for gods sake run a different program in place of the compromised one, at least temporarily. I used to work for a hosting and development company that hosted a large security related web site, and let me tell you if there was anything that was exploitable it happened. All I hear now is a bunch of whiners who don't want to deal with the world they helped to create. The sys admins need people to mess with their systems, the people who mess with systems need the admins to repair the damage. If you can't take the heat… – by sick of hearing it

What about all the “non-issues”(12:40pm EST Fri Aug 02 2002)Every day I see supposed “critical security holes/flaws/bugs” reported. In many instances, when I do the research and dig down past the hype that the original news outlet was spewing, I find that the issue was blown WAY out of proportion. Why? Because it benefits the “security expert” who found the “hole/flaw/bug” by getting him and his fly-by-night outfit free publicity. It benefits the news outlet by appearing to be the first to press with the hottest new security news. It's a self-perpetuating symbiosis of FUD and hyperbole. Sure there are issues to be resolved but with everyone crying wolf about every little thing soon people are going to go deaf to all issues. What needs to happen is for there to be a national clearinghouse for all these issues like CERT at Carnegie-Mellon. CERT would rate the risk, inform the vendor, ensure that they follow through, make the announcements, and record the metrics. There would be laws to impose stiff fines scaled by market share for vendors that did not respond with patches immediately. Open source would not be safe either. If you wrote any part of it or distributed it you'd be liable for the fines just like a legitimate outfit. All bugs would be reported at the same volume, not just Microsoft's – by baarod

all bugs..(12:50pm EST Fri Aug 02 2002)All bugs are posted “not just microsoft” Am I seeing a pro M$ movement popping up? I have seen so many people here defending the EVIL EMPIRE. It's like you people forget that Billionaire Gates is the richest man in the world; for him to have all of that we have to stay down here and work our a**es off for the little we get. Besides baarod do you not read bugtraq/unix? it's all there, you just think that M$ is the center of the universe. Anyone who isn't freed must be considered a threat… – by sick of hearing it

Uhmm…. NO MODEL???(1:08pm EST Fri Aug 02 2002)The Feds don't know when to SIT DOWN AND SHUT UP. Software and the internet are the ultimate free market creation, and it needs to be left the hell alone while it matures. As with anything in a free market- BUYER BEWARE.

The pervasion of the instantaneous communication we have has made it so that every little societal hangnail is now treated as if it were cancer. Empathy and compassion with legislation will destroy us. There are many times that “That is not my problem, that is your problem.” should be said, but is not because it would seem cold, but would put the onus on the INDIVIDUALS RESPONSIBLE. Instead the Fed is forced to stick its nose into places where it is not needed. This is yet one more. – by Hulkamaniac

Does anyone(1:14pm EST Fri Aug 02 2002)know if the M$ eula differs that much from the GPL? I mean I know that there are copyrights, but do they guarantee that it will work? If none of the commercial software companies can guarantee their products, then I say they can all shut the #$%& up!! – by sick to death

myrkat: “the beauracracies created around this will have better control…”

Some of us don't like the idea of government being “in control”. All we want out of government is roads, schools, and prisons (and we don't want to pay for them… hmmm…)

“Just my $0.02 worth”

I'm afraid that your Federal bureaucracy will cost quite a bit more than that… and nobody has enumerated either the cost or the benefits of this bureaucracy. “Do something, even if it's counterproductive!!!”

baarod: “inform the vendor, ensure that they follow through”

Following through should entail sending an email to every registered customer within five minutes of hearing about it, before they do ANYTHING else. The customer can then shut off the service and/or run a different product.

This benefits the provider, as the providers have been trying forever to get people to actually REGISTER.

Make reporting to the customer by the vendor MANDATORY under penalty of jail. Damn it, if I'm running an insecure service I'M the one at risk, not the government, not the vendor, not the “public at large”. Tell ME.

sick of hearing it: “It's like you people forget that Billionaire Gates is the richest man in the world”

How much money Bill Gates or you or anybody else has is of no concern to me. What IS of concern is that he is running a monopoly that allows him to sell shoddy goods at a premium price.

Keep your eye on the ball or it will hit you in the head.

Hulkamaniac: “Software and the internet are the ultimate free market creation”

No they're not. Computers were developed to compute mortar firing trajectories for the Army, paid for by the US government. The internet started as a DARPA project, also government funded.

– by /sm

…continued here…(3:32pm EST Fri Aug 02 2002)I'd say a central tenet of capitalism is that “he who pays the piper calls the tune”. And the government got it started, not free enterprise.

However, the internet was started as a library, not a shopping mall. A place where intellectual works, copyrighted and not, can be donated for all to use for free, just like any other library. WTF happened to my library??? Now there are checkout counters and gun-toting policemen everywhere you look! What kind of library is this, any way?

sick to death: Linux is not a company, Microsoft is. Your question should be how Red Hat's or Mandrake's eula differs from MS's.

I never read either one of them. Why should I have to agree to a contract after I already paid my money? When I buy a car or a house, the papers are signed BEFORE I pay a dime- I don't pay, then sign (then read) the contract.

An unsigned contract is NOT a contract, and I do not under any circumstances have to abide by it. If you don't want me doing any damned thing I want with your software, don't put it in a retail store.

A warranty, now, I'd like to get one from MS AND Mandrake. Too bad I can't. – by /sm

to /sm(3:53pm EST Fri Aug 02 2002)All I was trying to point out is that the gpl only offers the software to the user, it does not guarantee that it is “fit for any particular use”, whereas it was HP, a commercial venture, that decided that it wasn't ok to publish bugs. This was in response to baarod's 'All bugs would be reported at the same volume, not just Microsoft's'. Please don't misunderstand me, I am an advocate of 'full disclosure'; I also use *nix and was pointing out the fact that there are always going to be holes found in software. Despite the fact that I feel linux to be a superior system I have no delusions about the security risks involved in connecting to the internet. And besides, anyone who charges money for a piece of software that does the same things others do for free (and better I might add), then you deserve to have your flaws exposed. – by sick to death

Good thing they don't just build roads! I am not a big-gov't person by any stretch of the means however, I do recognize that there needs to be oversight (at least occasionally) or else we're back in the stone age awfully quick.

OK, maybe not the stone age, but at least the wild west: as soon as we adopt a buyer-beware, every man for himself attitude, that's precisely what will happen.

Security through Obscurity is NOT a bad idea, it's just being abused by LAZY DEVELOPERS/VENDORS. Who can argue that by NOT clearly spelling out security holes, less threats would occur? However, I am not blind to the fact that it can easily be abused and thus, the obscurity becomes… well, obscure!

If everything were fair, holes would be patched, and no one would know – other than a patch was being released. Obviously, this ain't a perfect world.

Stage 3: public release (Bugtraq etc)
– Appropriate: if no firm timetable for delivery of patch or other course of action communicated to discoverer
– Time: 1 week following government notification

Identify the stages, agree on them in open fora, and tell vendors and government that if they want limited disclosure, these are the service standards they'll have to meet. If they don't meet service standards then, obviously, 2 weeks following discovery, you'd have publication.

Why not? – by thinkingcap

Let the public know(5:50pm EST Fri Aug 02 2002)Letting the public know about security holes lets customers stop using the product until a patch is provided.– by DS

“No they're not. Computers were developed to compute mortar firing trajectories for the Army, paid for by the US government. The internet started as a DARPA project, also government funded.– by /sm”

The tense of the “be” verb “are” is different than the tense of the “be” verb “was”. What “was” and what “is”(same tense as are) are not always the same. Computers and software, and their place in the world ARE much different than they WERE.

The free market made tech what it is, regardless of who conceived of or invented the tech. – by Hulkamaniac

Tech was created…(1:09pm EST Sat Aug 03 2002)by hard working engineers. They would have designed it as a career whether you bought it or not, as big iron. The pc market is not driven this way either. The only market that is driven this way is the consumer (home, M$) pc market, which is very diverse & if it went away tomorrow would solve a lot of problems in today's tech market. – by tech

Clark's plan makes good sense…(1:15pm EST Sat Aug 03 2002)…for closed source software like Windows and such but it's totally unworkable for open source. Open Source means open disclosure, all of the time. You could be quiet about a discovered exploit in say, BSD Linux, but then you lose the power of the community to help fix it.

But to disclose an exploit for Windows when there is no patch or a way to turn it off is just asking for trouble. Still, I would hate to see that criminalized – but then with the damn DMCA, it may already have been. – by UrGeek

Didn't Clark read the DoD report on open source.(1:28pm EST Sat Aug 03 2002)Clark should read the DoD report on open source. Remember when Microsoft lobbied the Pentagon to stop using Open Source for security purposes. The Department of Defense did a study of Open Source in response. The study found that open source was more reliable, cheaper and more SECURE than closed solutions. The study also stated that the use of open source should be encouraged. – by open source secure

There it goes again(9:37am EST Mon Aug 05 2002)1. Take any issue and write about it